php - 如何使用 slim 3 Rest API 授权 google-api-php-client？

Question

我正在尝试创建一个基于网络的电子邮件客户端，它从谷歌邮件 API 获取所有电子邮件数据。我正在使用 Slim3 创建一个 Restful API 接口(interface)。要访问谷歌 API，我正在使用 Google-API-PHP-Client(谷歌确实有一个休息 API 访问权限，我真的很喜欢它，但我仍然没有弄清楚如果不使用 PHP-client-library 授权将如何工作).

我的主要问题是我如何构造其中的身份验证部分，因为谷歌使用 Oauth2 进行登录并提供代码。我可以在 Slim 中使用基于 token 的简单例份验证，但我该如何实现以下目标:

1. Google 的身份验证/授权。
2. 识别新用户与回访用户。
3. 维护和保留来自 Google 和本地 API 的访问和刷新 token
4. 由于 API 将同时用于移动客户端和网络浏览器，我无法使用 PHP 的默认 session - 我依赖于数据库驱动的自定义 token 。

如何构建 API？

一种方法是使用谷歌的 token 作为应用程序中的唯一 token - 但它每小时都在变化，所以我如何通过 token 识别用户 - 为每个来电调用谷歌 API 似乎不是一个优雅的解决方案。

任何线索/链接都会非常有帮助。

提前致谢

Answer 1

注意有两部分:

1. 授权
2. 身份验证

我最近使用 Google 创建了这个非常轻量级的 Authorization 类，访问其 REST API。注释不言自明。

/**
 * Class \Aptic\Login\OpenID\Google
 * @package Aptic\Login\OpenID
 * @author Nick de Jong, Aptic
 *
 * Very lightweight class used to login using Google accounts.
 *
 * One-time configuration:
 *  1. Define what the inpoint redirect URIs will be where Google will redirect to upon succesfull login. It must
 *     be static without wildcards; but can be multiple as long as each on is statically defined.
 *  2. Define what payload-data this URI could use. For example, the final URI to return to (the caller).
 *  3. Create a Google Project through https://console.developers.google.com/projectselector/apis/credentials
 *  4. Create a Client ID OAth 2.0 with type 'webapp' through https://console.developers.google.com/projectselector/apis/credentials
 *  5. Store the 'Client ID', 'Client Secret' and defined 'Redirect URIs' (the latter one as defined in Step 1).
 *
 * Usage to login and obtain user data:
 *  1. Instantiate a class using your stored Client ID, Client Secret and a Redirect URI.
 *  2. To login, create a button or link with the result of ->getGoogleLoginPageURI() as target. You can insert
 *     an array of payload data in one of the parameters your app wants to know upon returning from Google.
 *  3. At the Redirect URI, invoke ->getDataFromLoginRedirect(). It will return null on failure,
 *     or an array on success. The array contains:
 *       - sub             string  Google ID. Technically an email is not unique within Google's realm, a sub is.
 *       - email           string
 *       - name            string
 *       - given_name      string
 *       - family_name     string
 *       - locale          string
 *       - picture         string  URI
 *       - hdomain         string  GSuite domain, if applicable.
 *     Additionally, the inpoint can recognize a Google redirect by having the first 6 characters of the 'state' GET
 *     parameter to be 'google'. This way, multiple login mechanisms can use the same redirect inpoint.
 */
class Google {
  protected $clientID       = '';
  protected $clientSecret   = '';
  protected $redirectURI    = '';

  public function __construct($vClientID, $vClientSecret, $vRedirectURI) {
    $this->clientID = $vClientID;
    $this->clientSecret = $vClientSecret;
    $this->redirectURI = $vRedirectURI;
    if (substr($vRedirectURI, 0, 7) != 'http://' && substr($vRedirectURI, 0, 8) != 'https://') $this->redirectURI = 'https://'.$this->redirectURI;
  }

  /**
   * @param string $vSuggestedEmail
   * @param string $vHostedDomain   Either a GSuite hosted domain, * to only allow GSuite domains but accept all, or null to allow any login.
   * @param array $aPayload         Payload data to be returned in getDataFromLoginRedirect() result-data on succesfull login. Keys are not stored, only values. Example usage: Final URI to return to after succesfull login (some frontend).
   * @return string
   */
  public function getGoogleLoginPageURI($vSuggestedEmail = null, $vHostedDomain = '*', $aPayload = []) {
    $vLoginEndpoint  = 'https://accounts.google.com/o/oauth2/v2/auth';
    $vLoginEndpoint .= '?state=google-'.self::encodePayload($aPayload);
    $vLoginEndpoint .= '&prompt=consent'; // or: select_account
    $vLoginEndpoint .= '&response_type=code';
    $vLoginEndpoint .= '&scope=openid+email+profile';
    $vLoginEndpoint .= '&access_type=offline';
    $vLoginEndpoint .= '&client_id='.$this->clientID;
    $vLoginEndpoint .= '&redirect_uri='.$this->redirectURI;

    if ($vSuggestedEmail) $vLoginEndpoint .= '&login_hint='.$vSuggestedEmail;
    if ($vHostedDomain)   $vLoginEndpoint .= '&hd='.$vHostedDomain;
    return($vLoginEndpoint);
  }

  /**
   * Call this function directly from the redirect URI, which is invoked after a call to getGoogleLoginPageURL().
   * You can either provide the code/state GET parameters manually, otherwise it will be retrieved from GET automatically.
   * Returns an array with:
   *  - sub             string  Google ID. Technically an email is not unique within Google's realm, a sub is.
   *  - email           string
   *  - name            string
   *  - given_name      string
   *  - family_name     string
   *  - locale          string
   *  - picture         string  URI
   *  - hdomain         string  G Suite domain
   *  - payload         array   The payload originally provided to ->getGoogleLoginPageURI()
   * @param null|string $vCode
   * @param null|string $vState
   * @return null|array
   */
  public function getDataFromLoginRedirect($vCode = null, $vState = null) {
    $vTokenEndpoint = 'https://www.googleapis.com/oauth2/v4/token';
    if ($vCode === null)  $vCode  = $_GET['code'];
    if ($vState === null) $vState = $_GET['state'];
    if (substr($vState, 0, 7) !== 'google-') {
      trigger_error('Invalid state-parameter from redirect-URI. Softfail on login.', E_USER_WARNING);
      return(null);
    }
    $aPostData = [
        'code' => $vCode,
        'client_id' => $this->clientID,
        'client_secret' => $this->clientSecret,
        'redirect_uri' => $this->redirectURI,
        'grant_type' => 'authorization_code'
    ];
    curl_setopt_array($hConn = curl_init($vTokenEndpoint), [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_USERAGENT      => defined('PROJECT_ID') && defined('API_CUR_VERSION') ? PROJECT_ID.' '.API_CUR_VERSION : 'Aptic\Login\OpenID\Google PHP-class',
        CURLOPT_AUTOREFERER    => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_POST           => 1
    ]);
    curl_setopt($hConn, CURLOPT_POSTFIELDS, http_build_query($aPostData));
    $aResult = json_decode(curl_exec($hConn), true);
    curl_close($hConn);
    if (is_array($aResult) && array_key_exists('access_token', $aResult) && array_key_exists('refresh_token', $aResult) && array_key_exists('expires_in', $aResult)) {
      $aUserData = explode('.', $aResult['id_token']); // Split JWT-token
      $aUserData = json_decode(base64_decode($aUserData[1]), true); // Decode JWT-claims from part-1 (without verification by part-0).
      if ($aUserData['exp'] < time()) {
        trigger_error('Received an expired ID-token. Softfail on login.', E_USER_WARNING);
        return(null);
      }
      $aRet = [
          // 'access_token'  => $aResult['access_token'],
          // 'expires_in'    => $aResult['expires_in'],
          // 'refresh_token' => $aResult['refresh_token'],
          'sub'           => array_key_exists('sub',          $aUserData) ? $aUserData['sub']         : '',
          'email'         => array_key_exists('email',        $aUserData) ? $aUserData['email']       : '',
          'name'          => array_key_exists('name',         $aUserData) ? $aUserData['name']        : '',
          'given_name'    => array_key_exists('given_name',   $aUserData) ? $aUserData['given_name']  : '',
          'family_name'   => array_key_exists('family_name',  $aUserData) ? $aUserData['family_name'] : '',
          'locale'        => array_key_exists('locale',       $aUserData) ? $aUserData['locale']      : '',
          'picture'       => array_key_exists('picture',      $aUserData) ? $aUserData['picture']     : '',
          'hdomain'       => array_key_exists('hd',           $aUserData) ? $aUserData['hd']          : '',
          'payload'       => self::decodePayload($vState)
      ];

      return($aRet);
    } else {
      trigger_error('OpenID Connect Login failed.', E_USER_WARNING);
      return(null);
    }
  }

  protected static function encodePayload($aPayload) {
    $aPayloadHEX = [];
    foreach($aPayload as $vPayloadEntry) $aPayloadHEX[] = bin2hex($vPayloadEntry);
    return(implode('-', $aPayloadHEX));
  }

  /**
   * You generally do not need to call this method from outside this class; only if you
   * need your payload *before* calling ->getDataFromLoginRedirect().
   * @param string $vStateParameter
   * @return array
   */
  public static function decodePayload($vStateParameter) {
    $aPayload = explode('-', $vStateParameter);
    $aRetPayload = [];
    for($i=1; $i<count($aPayload); $i++) $aRetPayload[] = hex2bin($aPayload[$i]);
    return($aRetPayload);
  }

}

一旦函数 getDataFromLoginRedirect 返回用户数据，您的用户就被授权。这意味着您现在可以发布自己的内部身份验证 token 。

因此，对于身份验证，维护您自己的用户数据表，使用sub 或email 作为主要标识符并为他们颁发 token ，具有适当的过期机制。 Google token 本身不一定要存储，因为它们仅在后续的 Google API 调用中需要；这取决于您的用例。不过，对于您自己的应用程序，您自己的 token 机制足以进行身份​​验证。

回到你的问题:

Google 的身份验证/授权。

如上所述。

识别新用户与回访用户。

可以通过你的数据表中用户的存在来判断。

维护和保留来自 google 和本地 API 的访问和刷新 token

问问自己是否真的需要。如果是这样，您可以在每 x 个请求时刷新，或者在到期时间少于 x 分钟后刷新(即，在这种情况下，这将是您的应用程序的超时)。如果你真的需要你的 token 保持有效，你应该设置一个守护进程机制来定期刷新你的用户 token 。